Last March, the Financial Action Task Force (FATF) issued a Public consultation on FATF draft guidance on a risk-based approach to virtual assets and virtual asset service providers. Their high-level objective is simple: to update its Guidance on the risk-based approach to virtual assets (VAs) and virtual asset service providers (VASPs).
As long-time players in the crypto industry, the decision to participate in the consultation was an easy one. The Guidance is an extremely important piece of international policy for our industry; it sets the pace for all member states of FATF on how to treat and deal with anti-money laundering and terrorist financing issues when it comes to cryptocurrencies and VASPs.
… we support the FATF’s overarching objectives of updating its pre-existing Guidance in a manner that maintains a level playing field for VASPs, minimizes opportunities for regulatory arbitrage, and preserves the intended technological neutrality of the FATF Standards. However, in our view, further revisions are required to ensure that the updated guidance achieves these objectives without going beyond the requirements of the FATF Standards or introducing elements that will have undesirable or intended consequences.
The consultation presents five different areas of focus for participants to comment. For the purposes of keeping this post simple, we will only summarize the responses.
In general terms, the Veriscope Secretariat sees several omissions or shortcomings in the proposed guidance. Should these remain in the updated guidance and become policy, the development, adoption and improvement of blockchain technology and cryptocurrencies as a nascent industry will be at risk.
If you want to read the complete document, please click on the following link: Response by the VERISCOPE Secretariat & Shyft Network.
The revised Guidance expansive approach to the definition of VASP appears to be inconsistent and its scope could potentially lead regulators to consider, for example, key signers for Decentralized Autonomous Organizations (DAO’s), as VASPs, regardless of their ability, or lack thereof, to participate in the decision making process and custodial obligations.
We see unintended consequences from this that could move to eliminate key signers from these processes which can further lead to security vulnerabilities at the smart contract level (putting innocent users of these systems at risk), and could introduce innovative obfuscation techniques that further eliminate governance methods that play important roles in transparency and functionality.
Here’s an example of how this approach can create unnecessary complexity or, worse, roadblocks in the development of solutions for better financial inclusion: Key signing entities in community-run asset pools in DeFi protocols do not have the ability to verify the destination of fund transmissions, and, at times, these signing parties are involved in the blind transmission of assets through autonomous routes. We proposed a review of the definition of control and the role of key signers entirely in the process of transmission.
In addition, the expanded guidance touches on the role of developers, and the distinction between development companies in contrast to open source software developers (a very common occurrence in our space), is unclear to the point of being blurred.
It should be noted that in the event this was to be true, even public protocols that are being designed today to solve FATF guidance and travel rule requirements would therefore be VASPs. This would lead to a massive slow down in current timelines and the ability for the industry to utilize smart contract native systems in enabling effective methods of risk mitigation for regulatory purposes.
Our recommendation to the FATF is to redraft the areas that describe “developers” making a clear distinction between development companies and individuals paid on a fee basis. The blockchain space has grown, in many ways, thanks to open-source software and independent contractors; it’s imperative that we defend and promote this practice.
We think that the measures and controls in the draft guidance will not mitigate the ML/TF risks that might emerge when P2P transactions gain widespread acceptance. Most of the proposed measures will place additional obligations on VASPs and other obligated entities, resulting in minimal impact of mitigating the ML/TF risks of P2P transactions of unhosted wallets.
We support the recommendation that countries would consider ways of mitigating ML/TF P2P transaction risks through blockchain analytics. We encourage the FATF to further explore how blockchain analytics and other innovative technological solutions can provide greater visibility over P2P transactions between unhosted wallets.
We believe that further clarity is needed around the FATF’s expectations of VASPs when transacting with unhosted wallets since the recent drafting suggests that the transactions should be treated as higher risk without providing a supporting rationale.
Based on our reliance on VASPs and their role as the verifying entities of the largest amount of KYC’s users in the space, we proposed that the FATF allow time for travel rule solutions to work directly on unhosted wallet discovery as well as VASP discovery before determining risk profiles and mitigation methods that may inaccurately assume the risk and hinder growth.
The revised FATF Guidance is generally helpful in confirming the applicability of VASP regulations to stablecoin issuers. However, when it comes to the specific details of comparing stablecoin issuers to other VASPs, particularly for the purpose of conducting an AML/CFT risk assessment, there are several aspects of the Guidance that appear to reflect a misunderstanding of how centrally administered stablecoins function. We believe that conducting an accurate risk assessment of stablecoins is contingent upon having a thorough understanding of how these products currently function, in practice.
Stablecoins have become an essential element in the crypto industry, with billions of $USD in volume being transacted through them. The FATF’s understanding of the key features of stablecoins is somewhat limited to them being a volatility avoidance instrument. We expanded on this definition and discussed that their true nature is speed, reliability and low cost for cross-border transactions. Their usability is not limited to issues related to virtual assets, rather, to limitations of cross-border banking.
Our position, in general terms, is that the risks of stablecoins and their issuers are analogous to the risks of VAs and other VASPs and that prior guidance was already sufficient to mitigate these potential risks. New recommendations by the FATF necessitate an updated risk assessment of this sector.
One important element that we identified and discussed was the licensing or registration of VASPs in the applicable jurisdiction. We view this, and the suggestion that local authorities impose conditions on VASPs seeking a license to be able to be supervised as an unfair adaptation of prudential and market conduct requirements for traditional financial institutions unfit for purpose in an AML/CFT context for the VASP sector.
We believe that the only way to effectively enable compliance in this new realm is to allow for data-collecting centralized intermediaries, to be able to represent users and act as data custodians of that data, while allowing users to passport across decentralized applications.
Rather than imposing requirements, we recommended that the FATF follows a similar path as it did with money or value transfer services (MVTS), which, like VASPs, may have no physical presence in the country where a transaction is sent or received. In its risk-based approach guidance for MVTS, the FATF encourages competent authorities in the host and home jurisdictions to liaise as appropriate to ensure any ML/TF concerns are adequately addressed. We believe that this would be a more appropriate approach in the VASP context that would ensure a more level playing field among AML/CFT-obliged entities and would reinforce the FATF’s principles of information-sharing and cooperation amongst VASP supervisors.
We also commented on the risk assessment requirement the FATF seeks to implement. To this point, we asserted that the currently available framework is insufficient in helping the industry identify, assess and understand their ML/TF risks. The crypto industry is rapidly evolving and, unlike the traditional financial sector, hasn’t developed effective controls over decades of experience and operations. That said, industry stakeholders are already initiating a risk assessment exercise and welcome the FATF to an open dialogue.
As it pertains to the approach to effective regulation, we believe that the FATF will likely need a fundamentally different approach to regulation.
When it comes to decentralized systems and smart contracts that do not, and cannot, centralize the data collection and compliance processes that traditional intermediaries hold, we need to look at new approaches to compliance and KYC verification. This is especially true for Decentralized Finance (DeFi).
Systems are being built today that allow us to decentralize or passport the identities and KYC data sets of users across smart contracts and noncustodial wallets. We believe that the only way to effectively enable compliance in this new realm is to allow for data-collecting centralized intermediaries, to be able to represent users and act as data custodians of that data, while allowing users to passport across decentralized applications. These systems can allow us to have source nexus points for user validation and onboarding, but still allow those users (represented by the public addresses they use today to move assets) to utilize smart contract applications while leveraging reliance on the source data stores and validating onboarding entities. This will be the future of how compliant opt-in systems work across this ecosystem and can solve many of the largest risks and threats that are inherent from an AML/CFT perspective.
While this infrastructure is currently being developed in systems like Shyft Network among others, we believe that users should not be required to take on compliance or sanctions obligations directly. These systems, when they are solely in the non-custodial realm, are extensions of bearer instruments like cash, and effective regulation needs to focus its efforts on the on-ramps and off-ramps (like that of the traditional financial system) without requiring innocent civilians to take on compliance obligations and the responsibility of sanctions requirements.
Decentralized systems should be looked at largely as public utilities and enhancements to the utilization of digital bearer instruments that are designed to invoke user freedom and the betterment of individual choice, while still ensuring law enforcement has the ability to effectively address illicit activity. Our ability to ensure these networks do not unintentionally transition to deeper levels of obfuscation is critical in this current time to ensure we can maintain visibility and transparency into how these networks publicly function. Regulations can help maintain this visibility in collaboration with this technology, or hinder it if we do not act collaboratively and cautiously to nurture its benefits.
